From

Thank you

Sorry

Since the malware museum opened its virtual doors in February, its collection of de-fanged DOS-based malware from the 80s and 90s has attracted nearly 1 million views. (Read the full story.) Here are the museum’s most downloaded viruses:

First discovered in 1989 and written by a Bulgarian hacker, this is a memory-resident DOS virus infecting .com and .exe files. It’s best known for the music that gave it its name; once in memory, it plays—you guessed it—“Yankee Doodle” every day at 4:00 p.m. And that wouldn’t get annoying at all, would it?

What stands out about this MS-DOS virus, which spread in newsgroups in 1997, is the cool, if primitive, topographical map of Mars (hence the name) it appears to create. Mars Land is just one variant of the Spanska virus.

Here’s an example of how virus writers used to get their delayed giggles: Once this DOS-based malware was downloaded, it lurked until the month and date corresponded (April 4, for example, or May 5), and would then trash information in the C: disk boot sector—and then add insult to injury by playing the national anthem of what was, in 1990 when Hymn was created, the USSR. Like many early viruses, Hymn had teeth; it could render a victimized PC unbootable without special utilities.

This nasty piece of work has undeniable curb appeal, manifesting as a Woodstock-era groovy-drug-trip video (no surprise there, given the name). The trouble was that while victims were giggling at the far-out video, the non-memory-resident parasitic virus was overwriting all files in their directory. It then displayed the triumphant message, “Coded By Death Dealer 4/29/94.”

This diabolically clever virus has been cited by Mikko Hypponen, the godfather of the Malware Museum, as a favorite old-school example. Victims encountered the message, “I have just DESTROYED the FAT [File Allocation Tables] on your disk!! However, I have a copy in RAM, and I’m giving you a last chance to restore your precious data.” Hapless victims then played five rounds of Jackpot, purportedly to save their files—but whether they won or lost, most variants of Casino shut down their PC, forcing them to reinstall their operating system.

This DOS virus, though most variants open with a pornographic image, was relatively harmless. Once the nasty image disappeared, Walker manifested as a man merely walking right to left across the user’s screen every 30 seconds or so. (The man was a character from a long-forgotten computer game called Bad Street Brawler, in case you’re keeping track.) Users were unable to input data during the annoying strolls, but that was the extent of the damage.

Relatively little is known about this DOS virus, but it infects nearly every .com file on infected machines. Its popularity at the museum, both Hypponen and Scott, is likely due to its spectacular manifestation; Crash fills the screen with test-pattern colors and nonsense characters, flashing alarmingly at the hapless user. “This is one of the reasons people actually remember these [old DOS viruses] fondly,” Scott says. “They’ll do a little dance for you.” You could halt the dance by pressing CTR-ALT-DEL—only to learn that your files had been wiped out.

This creepy bit of malware was, of course, inspired by The Terminator, the 1984 Arnold Schwarzenegger blockbuster. It infects all .exe files, slowing the PC dramatically. Soon, the monitor turns red and an odd, ungrammatical message (clearly, English was not the first language of this malware’s author) announces that it’s a “very kind virus.” That it may be—Skynet was not a corruptor of files—but it did slow a lot of computers and annoy a lot of users.

First discovered in 1992 and thought to originate in Sweden, this is a generally unremarkable DOS virus that inserts the text string “CoffeeShop” in infected files. It doesn’t do much other than replicate, so why is this such a popular Malware Museum download? It’s all about the visual: CoffeeShop manifests on victims’ monitors as a big green marijuana leaf, above which is written, in red, white and blue, no less: “LEGALIZE CANNABIS.” Apparently, today’s museum visitors still find the message giggle-worthy.

Number One on the hit parade, A&A infects .com files, changing the date and time stamps of infected programs to those of the infection. Visually, it clears and reprints chunks of the screen in a truly mind-numbing fashion. Originating in Russia, A&A was first spotted in 1993. The Malware Museum is hard pressed to say why this is the most frequently downloaded example. Nostalgia? Or is the explanation something as simple as alphabetical order?